Support for ESXi #116

Closed
kclinden opened this issue Jun 13, 2019 · 8 comments
Comments

@kclinden

Is your feature request related to a problem? Please describe.
I would like to use InSpec to validate the configuration of ESXi.

Describe the solution you'd like
Utilizing InSpec, validate that an ESXi system is hardened appropriately.

Describe alternatives you've considered
Looked into creating SCAP content. This looked very painful.

Additional context
Ideally I would like to create this for DISA STIGs eventually.

@chris-rock
Member

chris-rock commented Jun 13, 2019 via email

@kclinden
Author

I haven't yet, since I am just getting into using InSpec. I saw that there was an inspec-vmware module being developed, but further development on it was stopped and instead PowerCLI will be used. The little documentation that I have read so far on this has been confusing. I'm not sure if there is a plugin to run PowerShell/PowerCLI commands and then validate the output, or if you literally just need to run a command. Some of the ESXi controls will just be standard Linux checks such as sshd permit root logon.

Thoughts?

@kclinden
Author

I suppose there should actually be an esxi-baseline project instead. What I originally came to the linux-baseline project for was to create an issue to support Photon OS, but then decided ESXi should be done first.

@chris-rock
Member

@kclinden I agree with your assessment. First InSpec needs to support the basic platform detection in train. Once that is in place, it should work as expected.

I have not played with ESXi in a while, but InSpec should have support for that. Therefore building a baseline for that is a great idea. Just create a new baseline and reuse the old PowerCLI resource from https://github.com/chef-boneyard/inspec-vmware. If you want to contribute the baseline to devsec, please let me know.

I am not sure how far InSpec is with regard to Photon OS support. That sounds interesting. Are you using it for K8s deployments?

@kclinden
Author

Here is my draft profile for the latest ESXi 6.5 STIG. I have done a first pass on a large portion of the PowerCLI-based checks. The rest will be SSH, and it sounds like they would have to be in a different profile since it will require a different transport method.

How do I contribute this profile to dev-sec, and continue to work on it there?

@chris-rock
Member

Is the link missing? Should we close this in favor of dev-sec/dev-sec.github.io#46?

@kclinden
Author

I would say this one can be closed, and yep I forgot the link!

Here you go - https://github.com/kclinden/esxi-65-stig-v1r1

@chris-rock
Member

Thank you @kclinden
